Detecting the Indicators of An Attack
Diego Samuel Espitia, 1 February 2021

In security we always prefer to implement prevention and deterrence rather than containment mechanisms. However, implementing these mechanisms is not always effective or simple to set up and maintain. In the physical world there are many examples of this, such as photoelectric cells, trap doors or video cameras. All of these measures prevent or deter criminals from entering a property, but to do their job they require prior configuration and constant maintenance or monitoring. Additionally, these mechanisms cannot detect by themselves whether a criminal is studying possible weaknesses that he can exploit for his criminal objective. Therefore, in order to be truly preventive, they need to be under constant monitoring, with investigation of the anomalies or suspicious behaviour recorded in the videos or events of the installed mechanisms.

Setting Up Systems for Prevention and Deterrence

The same happens with information security systems, where all the technical resources that are set up seek to prevent or deter. Their configuration is based on the characteristics that make it possible to detect known attacks; depending on each protection mechanism, these characteristics are loaded into the detection and alert engines so that the monitoring systems can be warned of the presence of a threat. Therefore, as with physical security, these are mechanisms that, if not monitored and kept up to date in their detection settings, become systems that criminals can analyse to find flaws that can be exploited.

Each technology has automatic or manual ways of updating its detection sensors. For example, traditional antivirus systems receive constant updates to their detection methods, and systems that use Machine Learning learn to detect threats using samples of different types of malware, such as those we have in our CARMA tool for Android threats.

Indicators of Compromise (IoCs) as an Updating Mechanism

However, one of the most popular mechanisms for keeping configurations constantly updated is Indicators of Compromise (IoCs): pieces of forensic evidence collected after an incident to identify common patterns, such as IP addresses, domains or hashes that have been used before. Detection sensors are updated with them so that any action within the network that contains one of these pieces of evidence is classified as a threat.

One of the prevention techniques is to investigate the alerts from monitoring systems to determine whether the actions collected can be related to incidents previously reported elsewhere in the world. In information security this method is known as Threat Hunting, the most complete and complex methodology for detecting possible intrusions that have bypassed the established controls, using IoCs as the basis for comparison.

From Reactive to Proactive Detectors

What if the offender uses totally unknown mechanisms? What if the malware does not touch the disk and the antivirus cannot compare it with its signatures? What if the IPS does not have this data frame among its alert comparisons? What happens is that nothing is alerted: the monitoring, no matter how persistent, will not receive any anomaly alarm, and the criminal, after a rigorous analysis of our security systems, will have found the breach or the technique to hide and achieve his objective.

In many cases, this is what has been happening in the cyber incidents reported this year, so information security areas need to shift their focus from reactive detectors, such as IoCs, to proactive detectors, which allow them to detect threats or incidents at the moment they happen and do not depend on prior knowledge of other incidents.

Indicators of Attack (IoA)

This is what has been called Indicators of Attack (IoA), which allow detection teams (Blue Team) to identify events by behavioural patterns, for example a network scan, a communication to a C&C or any behaviour that signals that something has bypassed the network's defences. Because of this particularity, it is difficult to have a common list or database of IoAs, as they are tied to the tactics shown in MITRE's ATT&CK matrix and to the security characteristics of each company, using context to determine when an action is or is not an indicator of attack.

For this reason, implementation is not easy and requires in-depth knowledge of the normal IT activities of all departments in an organisation, implementation of Zero Trust Network Access systems and implementation of network traffic controls in all systems that manage information, in order to have the following basic activities in place for IoA detection:

- Analysis of all connections with a destination outside the corporate network, giving priority to destinations marked as malicious or to places with which the company should not be communicating.
- Any attempt to move traffic through the network via unconventional ports or services that have been enabled within the network, or during off-hours.
- Any equipment that has multiple active connections, or attempts to connect, to equipment within the network that it does not have permission to connect to or does not have in its connection history.
- Reporting of repeated events, such as malware or malicious traffic, on one or more computers by detection systems.
- User authentication processes, involving any simultaneous connection or failed attempts.

These constant investigations initiate the generation of the IoA knowledge base and improve incident response processes. In this way the system is based not on data about what has already happened, which attackers can evade, but on activities and techniques associated with both attack tactics and the organisation's own network characteristics.
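A toy implementation of several of the basic IoA detection activities listed above, written as an added example for this post (it is not ElevenPaths code): it scans constructed flow and authentication records for outbound connections on unconventional ports or off-hours, fan-out to internal peers absent from a host's baseline, repeated failed logins and one account active on several hosts at once. The corporate range, approved ports, business hours, thresholds and peer baseline are assumed values, and the sample telemetry is constructed.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed assumptions (not from the article): corporate range, approved
# outbound ports, business hours and each host's previously seen internal peers.
CORP_NET = ip_network("10.0.0.0/8")
APPROVED_PORTS = {53, 80, 443}
BUSINESS_HOURS = range(8, 19)               # 08:00-18:59
PEER_BASELINE = {"10.0.1.10": {"10.0.1.20", "10.0.1.21"}}

def flow_indicators(flows, baseline=PEER_BASELINE, lateral_min=3):
    """Flows are dicts: src, dst, dport, hour. Returns (rule, host, detail)."""
    findings, new_peers = [], defaultdict(set)
    for f in flows:
        src, dst, port, hour = f["src"], f["dst"], f["dport"], f["hour"]
        if ip_address(dst) not in CORP_NET:           # traffic leaving the network
            if port not in APPROVED_PORTS:
                findings.append(("outbound_unconventional_port", src, f"{dst}:{port}"))
            if hour not in BUSINESS_HOURS:
                findings.append(("outbound_off_hours", src, f"{dst}:{port} @{hour:02d}h"))
        elif dst not in baseline.get(src, set()):     # internal peer never seen before
            new_peers[src].add(dst)
    for src, peers in new_peers.items():
        if len(peers) >= lateral_min:                 # fan-out to unknown hosts
            findings.append(("lateral_new_peers", src, ",".join(sorted(peers))))
    return findings

def auth_indicators(events, fail_min=5):
    """Events are dicts: user, host, result ('ok'/'fail'). Same tuple shape."""
    fails = Counter(e["user"] for e in events if e["result"] == "fail")
    hosts = defaultdict(set)
    for e in events:
        if e["result"] == "ok":
            hosts[e["user"]].add(e["host"])
    findings = [("repeated_auth_failures", u, f"{n} failures")
                for u, n in fails.items() if n >= fail_min]
    findings += [("simultaneous_sessions", u, ",".join(sorted(h)))
                 for u, h in hosts.items() if len(h) > 1]
    return findings

# Constructed sample telemetry: a host beaconing out on 4444 at 03:00 and touching three unknown peers; a brute-forced account.
SAMPLE_FLOWS = [
    {"src": "10.0.1.10", "dst": "203.0.113.5", "dport": 4444, "hour": 3},
    {"src": "10.0.1.10", "dst": "10.0.1.20", "dport": 445, "hour": 3},
] + [{"src": "10.0.1.10", "dst": f"10.0.2.{i}", "dport": 445, "hour": 3} for i in (1, 2, 3)]
SAMPLE_AUTH = [{"user": "alice", "host": "ws01", "result": "fail"}] * 5 + [
    {"user": "bob", "host": "ws02", "result": "ok"}, {"user": "bob", "host": "srv09", "result": "ok"}]

if __name__ == "__main__":
    print(*flow_indicators(SAMPLE_FLOWS) + auth_indicators(SAMPLE_AUTH), sep="\n")
```

Each finding carries the host or account and the context that triggered it, which is the material the post says feeds the IoA knowledge base; the baseline and thresholds are what make the same connection benign in one organisation and an indicator in another.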